Save registry file outside share as unprivileged user in Samba 4.x

Author: Michael Hanselmann. Updated: April 15, 2019.

Samba is a free software re-implementation of the SMB networking protocol used by Microsoft Windows. In March 2018 I found a vulnerability and reported it to the project using responsible disclosure, where it was discussed in bug 13851. The vulnerability ID CVE-2019-3880 was assigned. The following bugfix releases were made on April 8, 2019:

Samba contains an RPC endpoint emulating the Windows registry service API. One of the requests, winreg_SaveKey, is susceptible to a path/symlink traversal vulnerability. Unprivileged users can use it to save a registry hive file anywhere they have write access, even outside a Samba share.
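As an added illustration (not Samba's code), the following contrasts a prefix-only path check of the kind this flaw stems from with one that resolves `..` and symlinks before testing that the result stays inside a share root. The function names `prefix_only_check` and `canonical_containment_check` are hypothetical, and the directory layout is constructed in a temporary directory.

```python
import os
import tempfile


def prefix_only_check(path: str, shares: list) -> bool:
    """Weak check (hypothetical reconstruction, not Samba's code): accepts any
    path that merely starts with a share path, so neither '..' components nor
    symlinks inside the share are taken into account."""
    return any(path.startswith(share.rstrip("/") + "/") for share in shares)


def canonical_containment_check(path: str, shares: list) -> bool:
    """Hardened check: canonicalise the candidate path and every share root
    (resolving '..' and symlinks), then require the resolved target to be the
    share root itself or a descendant of it."""
    real = os.path.realpath(path)
    for share in shares:
        root = os.path.realpath(share)
        if real == root or real.startswith(root.rstrip(os.sep) + os.sep):
            return True
    return False


def demo() -> dict:
    """Constructed layout: <tmp>/share is the only share; it contains a symlink
    'link' pointing at <tmp>/outside. Returns (weak, hardened) verdicts for a
    file inside the share, a '..' escape, and a symlink escape."""
    with tempfile.TemporaryDirectory() as tmp:
        share = os.path.join(tmp, "share")
        outside = os.path.join(tmp, "outside")
        os.makedirs(share)
        os.makedirs(outside)
        os.symlink(outside, os.path.join(share, "link"))
        candidates = {
            "inside": os.path.join(share, "hive.reg"),
            "dotdot": os.path.join(share, "..", "outside", "hive.reg"),
            "symlink": os.path.join(share, "link", "hive.reg"),
        }
        return {
            name: (prefix_only_check(p, [share]),
                   canonical_containment_check(p, [share]))
            for name, p in candidates.items()
        }


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(f"{name:8s} weak={verdicts[0]!s:5s} hardened={verdicts[1]}")
```

Only the hardened check rejects the two escapes; the symlink root canonicalisation also matters on systems where the temp directory itself is a symlink.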

As far as the author is aware and can determine, unprivileged users can't, by default, modify registry keys in Samba. As such they can't control the content of the saved file. If they could, injecting code would be conceivable (depending on the configuration, shells ignore errors to a certain degree, though in this particular case the NUL bytes would prove a challenge).

The reproduction below demonstrates how an unprivileged user (“vagrant”) can create a registry hive file in /home/vagrant. This scenario applies when such users have no shell access (local or SSH) but can authenticate against Samba shares.

Note that if the user knows the path of a pre-existing symlink pointing to the desired destination, they don't even need write access to a share. The code validating the path given to winreg_SaveKey, in srv_winreg_nt.c:validate_reg_filename, accepts any share path as a path prefix. The very same net rpc registry save command would also work if the following were the only share and the symlink in /srv/data already existed: